
Saturday, February 4, 2012

Remote Code Execution on SkyMobile VTI Server

Recently, I got access to the management web console of a new-to-me product called SkyMobile VTI Server. The web console itself was enough to allow complete access to the system, as it was running with Administrative privileges and allowed file upload. All I needed to do was upload an ASP meterpreter to wwwroot and get the work done.

But I wanted to have fun. After browsing through the console for a few minutes, I saw the unencrypted default configuration file.

In the configuration file, I saw a parameter called "JavaCommand" which calls the JRE executable.

I uploaded a meterpreter executable, changed the "JavaCommand" variable to the path of the uploaded meterpreter executable and restarted the service. (Yes, I restarted it. I know it's _really_ bad, but I just did that.)
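
A defender-side check for the condition described above, as an added example that is not part of the original post or the vendor's code: it verifies that "JavaCommand" resolves to a Java binary under a trusted directory. The key=value layout, the trusted JRE directory and the sample configs are assumptions, since the post does not show the file.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumptions: key=value config lines and this JRE install root.
TRUSTED_JRE_DIRS = [r"C:\Program Files\Java"]
ALLOWED_NAMES = {"java.exe", "javaw.exe"}

def read_java_command(config_text):
    """Return the last JavaCommand value in the config text, or None."""
    value = None
    for line in config_text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "javacommand":
            value = val.strip().strip('"')
    return value

def audit_java_command(config_text, trusted_dirs=TRUSTED_JRE_DIRS):
    """Return a list of findings; an empty list means the value looks sane."""
    cmd = read_java_command(config_text)
    if not cmd:
        return ["JavaCommand is missing or empty"]
    findings = []
    path = ntpath.normcase(ntpath.normpath(cmd))  # collapses ..\ segments
    if not ntpath.isabs(path):
        findings.append("not an absolute path (resolved via PATH/cwd): " + cmd)
    if ntpath.basename(path) not in ALLOWED_NAMES:
        findings.append("executable is not java.exe/javaw.exe: " + cmd)
    roots = [ntpath.normcase(ntpath.normpath(d)) + "\\" for d in trusted_dirs]
    if not any(path.startswith(r) for r in roots):
        findings.append("outside trusted JRE directories: " + cmd)
    return findings

# Constructed sample configs (not taken from the product).
GOOD = 'Port=8080\nJavaCommand="C:\\Program Files\\Java\\jre6\\bin\\java.exe"\n'
TAMPERED = "Port=8080\nJavaCommand=C:\\inetpub\\wwwroot\\upload.exe\n"
TRAVERSAL = "JavaCommand=C:\\Program Files\\Java\\..\\..\\inetpub\\wwwroot\\java.exe\n"

if __name__ == "__main__":
    for name, cfg in [("good", GOOD), ("tampered", TAMPERED), ("traversal", TRAVERSAL)]:
        print(name, audit_java_command(cfg))
```

Running a check like this at service start, or from a file-integrity job on the configuration file, flags a changed "JavaCommand" before the service executes it.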

Thanks. Usually, access to the web status page is protected through identity management and all data and configurations are encrypted. You are obviously working off a development/demo version. The normal install is intentionally open with documentation on how to "harden" security for production systems. If this is a customer system, then you should report this and direct them to the SkyMobile help. Regards, Sky support.